I’ve got a long-running process where I’m trying to re-use the authentication token initially obtained but that token is eventually expiring. I’m trying to figure out whether I should be renewing the token or re-authenticating.
When I first authenticate, I get a JSON blob back like this:
{
  "request_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": null,
  "wrap_info": null,
  "warnings": null,
  "auth": {
    "client_token": "zzzzzzzzzzzzzzzzzzzzzzzzzz",
    "accessor": "aaaaaaaaaaaaaaaaaaaaaaaa",
    "policies": [
      "default",
      "sd_automation"
    ],
    "token_policies": [
      "default",
      "sd_automation"
    ],
    "metadata": {
      "account_id": "999999999999",
      "auth_type": "iam",
      "canonical_arn": "arn:aws:iam::999999999999:role/vault_sd_automation",
      "client_arn": "arn:aws:sts::999999999999:assumed-role/vault_sd_automation/vault_sd_automation",
      "client_user_id": "AAAAAAAAAAAAAAAAAAAAA",
      "inferred_aws_region": "",
      "inferred_entity_id": "",
      "inferred_entity_type": ""
    },
    "lease_duration": 2764800,
    "renewable": true,
    "entity_id": "qqqqqqqq-qqqq-qqqq-qqqq-qqqqqqqqqqqq",
    "token_type": "service"
  }
}
After about a month of the process running, the token expires and any subsequent attempts to retrieve secrets from Vault fail with permission denied.
The JSON blob seems to suggest that the auth token is renewable. However, if I try to renew the token with /auth/token/renew-self, the returned JSON blob contains the following warning:
TTL of "768h0m0s" exceeded the effective max_ttl of "767h42m22s"; TTL value is capped accordingly
and the lease duration has not been reset to the originally-obtained TTL of 2764800. Repeated attempts to use that call continue to return a lower lease duration, showing that the token’s lifetime continues to run out.
If I use vault token lookup, then that does show a "last_renewal" date/time string, so Vault does think I'm renewing the token, but the clock still ticks down.
What am I misunderstanding? Will the token only get “properly” renewed when the TTL has expired? Or can I not extend the lifespan of the token this way and I should, instead, be re-authenticating?
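The arithmetic behind the warning quoted above can be reproduced with a small model. This is an added illustration, not Vault's own code and not part of the original post: it simulates the documented rule that a renewal grants the requested TTL measured from the moment of renewal, but never beyond created_at + max_ttl, where max_ttl is counted from the token's creation and is never reset by a renewal. The 768h figure is the default system max TTL; the Token class, the renewal_timeline() and can_renew_after() helpers, and the timestamps are assumptions made for this example. A renew-self issued 17m38s after login yields exactly the capped value in the post (767h42m22s, i.e. 2763742 seconds), later renewals hand back ever smaller lease_duration values, and once creation + max_ttl has passed the token cannot be renewed at all.

```python
"""Constructed model of how Vault caps a renew-self request against max_ttl.

Not Vault's code: a token is issued with a TTL and a max_ttl measured from
creation time; each renewal grants min(requested TTL, time left until
created_at + max_ttl). Names and timestamps below are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def go_duration(td: timedelta) -> str:
    """Format a timedelta like Go's time.Duration, e.g. 767h42m22s or 17m38s."""
    total = int(td.total_seconds())
    hours, rem = divmod(total, 3600)
    minutes, seconds = divmod(rem, 60)
    parts = []
    if hours:
        parts.append(f"{hours}h")
    if hours or minutes:
        parts.append(f"{minutes}m")
    parts.append(f"{seconds}s")
    return "".join(parts)


@dataclass
class Token:
    created_at: datetime
    issue_ttl: timedelta            # TTL granted at login; renew-self asks for it again
    max_ttl: timedelta              # hard ceiling counted from created_at, never reset
    ttl: Optional[timedelta] = None  # current lease_duration
    last_renewal: Optional[datetime] = None

    def __post_init__(self) -> None:
        if self.ttl is None:
            self.ttl = self.issue_ttl

    def expires_at(self) -> datetime:
        start = self.last_renewal or self.created_at
        return start + self.ttl

    def renew_self(self, now: datetime) -> dict:
        """Mimic POST /v1/auth/token/renew-self with no explicit increment."""
        if now >= self.expires_at():
            raise PermissionError("permission denied")  # expired tokens cannot be renewed
        requested = self.issue_ttl
        effective_max = self.created_at + self.max_ttl - now  # shrinks as time passes
        warnings = None
        if requested > effective_max:
            warnings = [
                f'TTL of "{go_duration(requested)}" exceeded the effective max_ttl of '
                f'"{go_duration(effective_max)}"; TTL value is capped accordingly'
            ]
            requested = effective_max
        self.ttl = requested
        self.last_renewal = now
        return {"lease_duration": int(requested.total_seconds()),
                "renewable": True, "warnings": warnings}


def _fresh_token() -> tuple:
    # Hypothetical login at t0 with ttl = max_ttl = 768h (the default system max).
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    return t0, Token(created_at=t0, issue_ttl=timedelta(hours=768),
                     max_ttl=timedelta(hours=768))


def renewal_timeline() -> list:
    """Renew the same token at three offsets; return (offset, lease_duration, warnings)."""
    t0, tok = _fresh_token()
    rows = []
    for offset in (timedelta(minutes=17, seconds=38), timedelta(days=20), timedelta(days=31)):
        resp = tok.renew_self(t0 + offset)
        rows.append((go_duration(offset), resp["lease_duration"], resp["warnings"]))
    return rows


def can_renew_after(days: int) -> bool:
    """Whether one renew-self `days` after login still succeeds (768h = 32 days)."""
    t0, tok = _fresh_token()
    try:
        tok.renew_self(t0 + timedelta(days=days))
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    for offset, lease, warn in renewal_timeline():
        print(f"renew-self at +{offset}: lease_duration={lease} warnings={warn}")
    print("renewable on day 31:", can_renew_after(31), "| day 33:", can_renew_after(33))
```

Every renewal in this model returns the same shape as the real response (lease_duration, renewable, warnings), which makes the behaviour in the post easy to read off: renewable stays true right up to the ceiling, but lease_duration is always the time left until created_at + max_ttl, so repeated renewals report a steadily smaller number.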